Dec 92019

German DSK Issues GDPR Fining Methodology Guidelines

William RM Long, Kolja Stehl, Lauren Cuyvers and Anna-Shari Melin
, , , ,

Recently, the Association of German Data Protection Authorities (“Datenschutzkonferenz” or “DSK”) issued guidelines setting a GDPR fining methodology (“Fining Methodology”).  GDPR enforcement across the EU has picked up over the past year.  This Fining Methodology has been issued at the time of a significant increase in GDPR enforcement action across the EU.  The European Data Protection Board (“EDPB”) reported a total of 281,088 national enforcement actions being initiated as of May 22, 2019 (approximately one year after the GDPR’s entry into application).  Since then, data protection authorities across the EU have been initiating enforcement and fines on a daily basis.  In particular, in the UK, the Information Commissioner’s Office (“ICO”) has issued two notices of intention to fine of  €114m and €215m for failure to implement appropriate data security measures.

Authorities are not focusing solely on large or (data-rich) companies in specific industries, as may have been expected.  Instead, they have been taking an aggressive approach to GDPR non-compliance in relation to companies of varying degrees of size and a broad range of industries, including enforcing in situations where there has been no actual loss of personal data (e.g. in the case of a data breach) or harm to individuals.  So, for example, a number of fines have recently been imposed against businesses retaining data on systems for longer than is necessary in contravention of the GDPR’s data minimization and data storage principles.  This includes a fine of €400,000 against a public housing company in France, a €14.5m fine against a real estate company in Germany, a kr. 1.5m fine against a furniture manufacturer in Denmark and a kr. 1.2m fine against a taxi company in Denmark.

Data protection authorities have now also started to formalize how they will be imposing fines.  The UK ICO issues ‘intentions to fine’ after which companies subject of the enforcement can make representations in an attempt to reduce the fine.  In addition, the Dutch data protection authority had already come out with its fining methodology and most recently, the German DSK has adopted a methodology of its own as well.  Without pan-EU guidance from the EDPB, national data protection authorities in the EU are adopting their own fining methodologies and are beginning to apply this in their enforcement actions.  The German DSK Fining Methodology in particular takes an aggressive stance with respect to fining due to the high thresholds put forward in the methodology.  These new GDPR fining methodologies will likely lead to fines ranging around the maximum thresholds foreseen in the GDPR (up to 4% of global annual turnover).

5-Step Process

The DSK’s Fining Methodology is complex, and provides for a five-step process to follow when determining the amount of an administrative fine.

Step 1: the undertaking subject of enforcement is categorized depending on its turnover in the preceding year.  The concept of ‘undertaking’ is interpreted in accordance with the meaning of an ‘undertaking’ under EU competition law, and may comprise more group entities than just the entity that has committed or is involved in the infringement.  The involvement of an entity is triggered when it exercises ‘decisive influence’.  For example, a parent company is presumed to exercise decisive control over its wholly owned subsidiary.  The blanket transposition of this concept into EU data protection law, however, significantly increases annual turnover and basis for a fine.

Step 2: the undertaking is allocated an annual average turnover amount in accordance with the category set in step 1.

Step 3: the undertaking’s ‘economic base value’ or daily average turnover amount is calculated by dividing the amount under Step 2 by 360.  This daily amount will ultimately serve as the basis of the fine.  Note that the actual turnover of an undertaking is only taken into account when the annual turnover exceeds €500m.  In this case, the fine may amount to a given percentage (2-4%) of actual turnover.

Step 4: the base value is multiplied with a factor between 1 and 12 to reflect the gravity of the infringement.

Step 5: additional mitigating or aggravating factors are taken into consideration (to the extent these have not yet been taken into account under Step 4).  These may include the degree of cooperation with the authority, the intentional or negligent character of the infringement, and the nature of the personal data and scope of the processing involved.

The Fining Methodology provides for detailed tables to determine the basic amount of the fines (as provided for in Step 1-3).  These show that the lowest possible fine for a company with an actual annual turnover between €200-300m is €694,444 for minor infringements without any aggravating circumstances.

Recent Enforcement Action Using DSK Fining Methodology

German data protection authorities have already started to apply the DSK Fining Methodology.  In particular, the Berlin data protection authority recently issued a fine of €14.5m fine using the five-step process outlined above.  The case related to excessive data retention by a real estate company and a failure to implement the privacy-by-design principle (press release in German is available here).  Importantly, the Berlin authority accepted certain mitigating factors, including the company’s due cooperation with the authority, and the measures that it had taken to remedy the infringement and so reduced the original fine of €28m.

Next Steps 

The EDPB, tasked with ensuring the consistent application of the GDPR throughout the EU, is expected to adopt a harmonizing fining methodology but no timeline has been made available for this effort.  Until then, the DSK Fining Methodology and methodologies of other national authorities remain valid and are likely to lead to significant GDPR fines in the future.

In the meantime, companies should consider reviewing their GDPR programs to check they are in line with GDPR requirements and follow GDPR enforcement actions.  In addition, companies with cross-border processing activities should consider how the GDPR’s one-stop-shop mechanism may apply to them, including identification of a lead data protection authority.

William RM Long

London

wlong@sidley.com

Kolja Stehl

London, Munich

kstehl@sidley.com

Lauren Cuyvers

Brussels

lcuyvers@sidley.com

Anna-Shari Melin

Munich

amelin@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.